public inbox for bzip2-devel@sourceware.org
* Bzip2 download and CVE-2019-12900 fix?
@ 2019-01-01  0:00 Jeffrey Walton
  2019-01-01  0:00 ` Mark Wielaard
  0 siblings, 1 reply; 4+ messages in thread
From: Jeffrey Walton @ 2019-01-01  0:00 UTC (permalink / raw)
  To: bzip2-devel

Hi Everyone,

Bzip2 downloads are available at ftp://sourceware.org/pub/bzip2/ . The
download is 1.0.6 and dated March 2019.

My question is, does the latest download include the fixes for CVE-2019-12900?

If not, when can we expect a patch or new download?

Jeff


* Re: Bzip2 download and CVE-2019-12900 fix?
  2019-01-01  0:00 ` Mark Wielaard
@ 2019-01-01  0:00   ` Jeffrey Walton
  2019-01-01  0:00     ` Mark Wielaard
  0 siblings, 1 reply; 4+ messages in thread
From: Jeffrey Walton @ 2019-01-01  0:00 UTC (permalink / raw)
  To: Mark Wielaard; +Cc: bzip2-devel

On Wed, Jun 26, 2019 at 10:21 AM Mark Wielaard <mark@klomp.org> wrote:
>
> On Wed, 2019-06-26 at 10:10 -0400, Jeffrey Walton wrote:
> > Bzip2 downloads are available at ftp://sourceware.org/pub/bzip2/ .
> > The
> > download is 1.0.6 and dated March 2019.
> >
> > My question is, does the latest download include the fixes for CVE-
> > 2019-12900?
>
> No, not yet in 1.0.6. But everything is in git:
> https://sourceware.org/git/?p=bzip2.git;a=summary
> Including the CVE-2019-12900 fix:
>
> https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184
>
> > If not, when can we expect a patch or new download?
>
> Hopefully today.
> The release script is ready:
> https://sourceware.org/ml/bzip2-devel/2019-q2/msg00009.html
>
> But there is some discussion on whether to synchronize with an
> alternative setup with newer build systems and other changes:
> https://sourceware.org/ml/bzip2-devel/2019-q2/msg00014.html

Thanks Mark.

There's a lot to the msg00014.html list message. I run with a patched
version of Bzip2. Makefile and Makefile-libbz2_so need some polishing
to get them to respect CFLAGS and LDFLAGS. Otherwise they ignore our
flags.

Also, the recipe for libbz2.so.1.0.6 breaks on non-Linux systems
because -Wl,-soname is a GNU ld thing.

You can get an idea of the Makefile changes by comparing with
https://github.com/noloader/bzip2-noloader. Also see
https://www.gnu.org/prep/standards/html_node/Command-Variables.html .

Jeff


* Re: Bzip2 download and CVE-2019-12900 fix?
  2019-01-01  0:00   ` Jeffrey Walton
@ 2019-01-01  0:00     ` Mark Wielaard
  0 siblings, 0 replies; 4+ messages in thread
From: Mark Wielaard @ 2019-01-01  0:00 UTC (permalink / raw)
  To: noloader; +Cc: bzip2-devel

On Wed, 2019-06-26 at 11:15 -0400, Jeffrey Walton wrote:
> There's a lot to the msg00014.html list message. I run with a patched
> version of Bzip2. Makefile and Makefile-libbz2_so need some polishing
> to get them to respect CFLAGS and LDFLAGS. Otherwise they ignore our
> flags.
> 
> Also, the recipe for libbz2.so.1.0.6 breaks on non-Linux systems
> because -Wl,-soname is a GNU ld thing.
> 
> You can get an idea of the Makefile changes by comparing with
> https://github.com/noloader/bzip2-noloader. Also see
> https://www.gnu.org/prep/standards/html_node/Command-Variables.html

Thanks. And yes, the current Makefiles are horrible. I am certainly not
arguing for not updating the build system to something more sane :)

It is just that if we are going to do a quick 1.0.7 release for the
latest CVE I think it should not mess up anything else, but just
contain those bug/security fixes (and remove all traces from the old
lost domain so people know it has been migrated to sourceware.org).
People have been using these horrible Makefiles either as is or have
known workarounds for them.

But yes, please let's also do a revamped 1.1.x release that makes some
tough decisions about what build system to adopt, possibly mess with
the SONAME, etc.

Cheers,

Mark


* Re: Bzip2 download and CVE-2019-12900 fix?
  2019-01-01  0:00 Bzip2 download and CVE-2019-12900 fix? Jeffrey Walton
@ 2019-01-01  0:00 ` Mark Wielaard
  2019-01-01  0:00   ` Jeffrey Walton
  0 siblings, 1 reply; 4+ messages in thread
From: Mark Wielaard @ 2019-01-01  0:00 UTC (permalink / raw)
  To: noloader, bzip2-devel

On Wed, 2019-06-26 at 10:10 -0400, Jeffrey Walton wrote:
> Bzip2 downloads are available at ftp://sourceware.org/pub/bzip2/ .
> The
> download is 1.0.6 and dated March 2019.
>
> My question is, does the latest download include the fixes for CVE-
> 2019-12900?

No, not yet in 1.0.6. But everything is in git:
https://sourceware.org/git/?p=bzip2.git;a=summary
Including the CVE-2019-12900 fix:

https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184

> If not, when can we expect a patch or new download?

Hopefully today.
The release script is ready:
https://sourceware.org/ml/bzip2-devel/2019-q2/msg00009.html

But there is some discussion on whether to synchronize with an
alternative setup with newer build systems and other changes:
https://sourceware.org/ml/bzip2-devel/2019-q2/msg00014.html

Cheers,

Mark

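Added example, not code from the bzip2 project or from anyone in this thread: a POSIX shell script that checks whether an installed bzip2 binary, or a bzip2 git checkout, carries the CVE-2019-12900 fix discussed above. It assumes what the thread states (the 1.0.6 tarball lacks the fix, 1.0.7 is the first release expected to include it, and the fix is commit 7ed62bfb46e87a9e878712603469440e6882b184 in the sourceware git). The version check is only a triage signal, because a distribution package can carry a backported patch under an older version string; the git ancestry check on a source checkout is the authoritative one.

```shell
#!/bin/sh
# Added example, not code from the bzip2 project or from this thread.
# Checks whether a bzip2 binary or a bzip2 git checkout carries the
# CVE-2019-12900 fix.
#
# Assumptions (taken from the thread, not verified here): the 1.0.6
# tarball lacks the fix, 1.0.7 is the first release expected to include
# it, and the fix is commit 7ed62bfb46e87a9e878712603469440e6882b184 in
# https://sourceware.org/git/?p=bzip2.git.
FIX_COMMIT=7ed62bfb46e87a9e878712603469440e6882b184
FIX_VERSION=1.0.7

# bzip2 --version prints its banner on stderr; a sample banner
# constructed for this example looks like:
#   bzip2, a block-sorting file compressor.  Version 1.0.6, 6-Sept-2010.
# parse_bzip2_version BANNER  -> prints the dotted version, e.g. 1.0.6
parse_bzip2_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*Version \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# version_ge A B  -> exit 0 if dotted version A >= B, else 1.
# Missing components count as 0, so 1.1 >= 1.0.7 and 1.0 < 1.0.7.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# binary_has_fix [PATH]  -> exit 0 if the bzip2 at PATH reports a version
# >= FIX_VERSION, 1 if it reports an older one, 2 if no version parsed.
# Caveat: distribution packages often backport a patch without bumping
# the version string, so an older version means "investigate", not
# "proven vulnerable"; only source_has_fix below is authoritative.
binary_has_fix() {
    bz=${1:-bzip2}
    banner=$("$bz" --version 2>&1 </dev/null) || true
    ver=$(parse_bzip2_version "$banner")
    if [ -z "$ver" ]; then
        echo "$bz: could not parse a version from its --version banner" >&2
        return 2
    fi
    version_ge "$ver" "$FIX_VERSION"
}

# source_has_fix [REPO]  -> exit 0 if HEAD of the git checkout at REPO
# descends from FIX_COMMIT (git merge-base --is-ancestor), nonzero if
# not, or if the commit is unknown to that repository.
source_has_fix() {
    git -C "${1:-.}" merge-base --is-ancestor "$FIX_COMMIT" HEAD
}

# Usage: sh check-bzip2-fix.sh [PATH-TO-BZIP2] [PATH-TO-GIT-CHECKOUT]
if [ $# -ge 1 ]; then
    if binary_has_fix "$1"; then
        echo "$1: version >= $FIX_VERSION"
    else
        echo "$1: version below $FIX_VERSION or unknown; investigate"
    fi
fi
if [ $# -ge 2 ]; then
    if source_has_fix "$2"; then
        echo "$2: history contains fix commit $FIX_COMMIT"
    else
        echo "$2: fix commit $FIX_COMMIT not in history"
    fi
fi
```

Run it as `sh check-bzip2-fix.sh /usr/bin/bzip2 /path/to/bzip2-git` after cloning the sourceware repository; a binary that reports 1.0.6 is flagged for investigation, while a checkout whose HEAD descends from the quoted commit is reported as containing the fix regardless of what its version string says.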
